Ask LH: How Often Should I Change My Passwords?

Dear Lifehacker, My company and some websites force me to regularly change my passwords, like every three months or so. How often do I need to change my passwords for all my other logins (if at all)? Signed, Stale Passwords

Dear SP,

Lots of organisations require mandatory password changes, because it's long been considered a security "best practice". However, there are pros and cons to that rule, so before you decide if you need to regularly change your other passwords, let's take a look at the times when changing your password often makes sense -- and when it doesn't.

Why Companies Enforce Password Duration Policies

When you change your password every few months, it limits how long a stolen password is useful to a stealthy attacker -- how long he/she has access to your account. If someone steals your password and you don't know about it, the attacker could eavesdrop indefinitely and glean all sorts of information about you or do other damage.

Therefore, for decades, many security guidelines have recommended frequent password changes, usually between 30 and 180 days. Windows Server has a default of 42 days.

However, in most cases, these might now be outdated policies or recommendations. At the very least, it's highly debatable that changing passwords frequently actually does increase security.

Why Changing Your Passwords Often May Be a Waste of Time

A Microsoft study a couple of years ago found that mandatory password changes cost billions in lost productivity -- for very little security payoff. Other computer security resources (Purdue University, Health Informatics and the Life as a CIO blog, for example) point out that the "best practice" of frequently changing passwords does little to improve security but much to increase everyone's frustration. Users typically end up choosing variations on the same simple passwords (e.g. password3) or resorting to sticky notes taped to their laptops. In other words, in some cases password-changing requirements could actually increase risk.

Security expert Bruce Schneier points out that in most cases today attackers won't be passive. If they get your bank account login, they won't wait two months hanging around, but will transfer the money out of your account right away. In the case of private networks, a hacker might be more stealthy and stick around eavesdropping, but he's less likely to continue to use your stolen password and will instead install backdoor access. Regular password changes won't do much for either of those cases. (Of course, in both instances, it's critical to change your password as soon as the security breach is found and the intruder blocked.)

Generally, password expiration periods are not of much help in mitigating cracking because they have such a small effect on the amount of effort an attacker would need to expend, as compared to the effect of other password policy elements. Suppose that an organisation reduced its password expiration period from 60 days to 30 days. An attacker would simply need to use twice the hardware resources to compensate for this change.
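To make the "twice the hardware" point concrete, here is a small added model (not from the original column) that compares how much extra effort an attacker needs when the expiration period is halved versus when one character is added to the required length. The guess rate, the baseline policy and the 62-character alphabet are constructed assumptions.

```python
"""Crack-effort model: how much does a password policy change cost an attacker?

Added illustration for the expiration-vs-effort argument; not from the
original article. The baseline policy and alphabet size are constructed
assumptions chosen only to make the comparison concrete.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Policy:
    length: int       # required password length
    charset: int      # size of the alphabet users draw from (assumed 62: a-z, A-Z, 0-9)
    expiry_days: int  # how often the password must be changed


def keyspace(policy: Policy) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return policy.charset ** policy.length


def required_guess_rate(policy: Policy) -> float:
    """Guesses per second needed to exhaust the keyspace before the password expires.

    Halving expiry_days doubles this figure; adding one character multiplies
    it by `charset`. That asymmetry is the point of the paragraph above.
    """
    window_seconds = policy.expiry_days * SECONDS_PER_DAY
    return keyspace(policy) / window_seconds


def effort_multiplier(baseline: Policy, changed: Policy) -> float:
    """How many times more hardware the attacker needs under `changed` than under `baseline`."""
    return required_guess_rate(changed) / required_guess_rate(baseline)


if __name__ == "__main__":
    base = Policy(length=8, charset=62, expiry_days=60)           # constructed baseline
    faster_expiry = Policy(length=8, charset=62, expiry_days=30)  # only the expiry changes
    longer = Policy(length=9, charset=62, expiry_days=60)         # only the length changes
    print(f"halving expiry:     {effort_multiplier(base, faster_expiry):.0f}x attacker effort")  # 2x
    print(f"one more character: {effort_multiplier(base, longer):.0f}x attacker effort")         # 62x
```

Each extra character multiplies the attacker's required capacity by the alphabet size, whereas the rotation policy only ever buys a linear factor.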

Accounts for Which You Might Want to Change Your Passwords Regularly

As is usually the case, there are exceptions. For certain types of accounts, hackers may be more likely to "listen in" and silently stick around for months until they glean important information from you. Schneier points out that if your kid sister or the tabloid press (if you're a celebrity of some sort) has your Facebook password, for example, they'll likely listen until you change your password, which could be months or years if you never find out about it.

In general, this is Schneier's advice:

You don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.

I would add that you might consider regularly changing passwords for communication-type sites that don't have two-factor authentication: email, especially, and things like IM or conferencing services. These are more snoop-friendly services where hackers might listen in for months before you find out. (On the other hand, you really should be using an email service with two-factor authentication, since it's a goldmine for hackers if they can get into it. It's probably the most important account for you to secure, along with your password manager and computer account.) Some services, including Gmail, Facebook and Dropbox, show you your active sessions, so as a general security precaution you can check those to make sure no one else is logging into your accounts.

Above All Else: Beef Up Your Security in General

It's much more important that you choose a unique password for all accounts -- one as long as possible -- and strengthen all your other security options (two-factor authentication, making your password recovery questions unguessable and backing everything up), because, in the end, strong passwords aren't enough -- no matter how often you change them.

If you have any weak or duplicate passwords anywhere, definitely change them as soon as possible. Also treat every security breach you hear about as a reminder to audit and, if needed, update not just your passwords but your security setup in general. After all of that, enjoy the peace of mind that you're doing the best you can -- and save yourself the hassle of changing all your passwords on a schedule.

Cheers
Lifehacker

Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.
